rabobank-cdc/DeTTECT

Feature request: Add automatic detection score in technique administration file

nbeguier opened this issue · 5 comments

The following command gives us a technique administration file, but only with a visibility score, not any detection score.

python dettect.py ds -fd sample-data/data-sources-endpoints.yaml --yaml

As long as there is no way to configure this score in the editor (it defaults to -1), I've added a way to use a custom key-value pair, "detection_score" in this case, to specify a detection score.

It allows us to manage everything from the Data Sources panel in the editor.
Managing this score directly from the Techniques panel was and still is possible, but it takes longer because you need to edit every technique one by one.

This PR: #76

Hi @nbeguier,

I'm trying to understand what you are trying to achieve. What is the use of a detection score per data source?

Currently, each data source adds 1pt to the visibility score and -1pt for detection.
I'm struggling to have a detection layer with scores because it forces me to edit each technique manually in the file.

As long as we add data sources, we could be able to specify the associated detection score.
That's what I'm trying to do, use the custom key-value pair to set the detection score.

A more intuitive way should be to implement it better in the GUI but it's not the priority.

A data source gives visibility into attack techniques, but it doesn't give you detection capabilities. You need use cases, detection rules or a detection product (e.g. EDR) for that. So that's the reason that you'll get a detection score of -1 by default when adding a data source.

Apart from that, what does a detection score on for example "Process Creation" tell you? Because there are so many ATT&CK techniques ending up in the Process Creation data source, I can't imagine that one detection score for "Process Creation" covers everything.

I agree, but in the same way: "Because there are so many ATT&CK techniques ending up in the Process Creation data source, I can't imagine that one visualization score for "Process Creation" covers everything." As long as a data source can give a point to every technique ID associated, it should be similar to detection, isn't it?

Anyway, we should be able to create "detection techniques" associated to a technique ID, but it would take a lot of time.
You advise me to "use cases, detection rules or a detection product (e.g. EDR) for that", is that possible in the GUI?
I think you're describing the "Location of the detection" in the Techniques panel, right?

The visualization score is calculated per ATT&CK technique based on the number of data sources that you have for that specific technique. For example, if you look at T1003 OS Credential Dumping. For this technique there are 9 data components (Detection section) defined within ATT&CK. If you have, for example, 5 of these data sources in your organization (defined in DeTT&CT Data Sources section), the visibility score will be calculated based on 5 out of 9. The visibility score in this case would be then 2. This is the way it's calculated:

[data_source_mapping.py]

result = (float(ds_count) / float(total_ds_count)) * 100
ds_score = 1 if result <= 49 else 2 if result <= 74 else 3 if result <= 99 else 4

Indeed, for detection scores, you define a score per technique mentioning the use case, detection rule or product within the "Location of the detection" field in the Techniques panel.
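As an added example (not DeTT&CT's own code), the calculation quoted above applied to the T1003 case of 5 out of 9 data components, together with the default detection score of -1 that a data source contributes. The technique-to-data-component lists and the set of available data sources are constructed sample data; skipping techniques with no available data source and guarding the zero-component case are assumptions, not behaviour taken from the project.

```python
# Added example, not DeTT&CT's own code: reproduces the visibility-score
# thresholds quoted from data_source_mapping.py and the default detection
# score of -1 that a data source contributes.

# Constructed sample data: the ATT&CK data components each technique lists.
# Only the T1003 count (9) comes from the discussion; the component names
# and the other technique IDs are placeholders.
TECHNIQUE_DATA_COMPONENTS = {
    "T1003": ["Process Creation", "Process Access", "Command Execution",
              "OS API Execution", "File Access", "Windows Registry Key Access",
              "Active Directory Object Access", "Network Traffic Content",
              "Network Traffic Flow"],
    "TXXXX-A": ["Process Creation", "Command Execution"],
    "TXXXX-B": ["Cloud Service Metadata"],
}

# Constructed: data sources the organization has (DeTT&CT Data Sources section).
AVAILABLE_DATA_SOURCES = {"Process Creation", "Process Access", "Command Execution",
                          "OS API Execution", "File Access"}

DEFAULT_DETECTION_SCORE = -1  # a data source gives visibility, not detection


def visibility_score(ds_count, total_ds_count):
    """Map available/total data components (as a percentage) to a 1-4 score.

    Thresholds are the ones in the quoted snippet. A technique with no data
    components at all returns 0 (assumption; the quoted code would divide by zero).
    """
    if total_ds_count == 0:
        return 0
    result = (float(ds_count) / float(total_ds_count)) * 100
    return 1 if result <= 49 else 2 if result <= 74 else 3 if result <= 99 else 4


def score_techniques(technique_components, available_sources):
    """Return {technique_id: {"visibility": score, "detection": -1, "ratio": "n/m"}}.

    Techniques with none of their data components available are left out
    (assumption about how the `ds` command selects techniques).
    """
    scores = {}
    for technique_id, components in technique_components.items():
        have = [c for c in components if c in available_sources]
        if not have:
            continue
        scores[technique_id] = {
            "visibility": visibility_score(len(have), len(components)),
            "detection": DEFAULT_DETECTION_SCORE,
            "ratio": f"{len(have)}/{len(components)}",
        }
    return scores
```

Running `score_techniques(TECHNIQUE_DATA_COMPONENTS, AVAILABLE_DATA_SOURCES)` gives T1003 a visibility of 2 (5/9 is about 56%) and a detection of -1, which is exactly what the `ds` command writes into the technique administration file before any detection location is filled in.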